VPN build with Web GUI

Well, I was wanting to set up a VPN between my parents and myself for off-site backup purposes, and I knew a non-GUI solution wouldn't cut it for them. So, I wrote one!

I really just did this out of my own necessity, so I'm not sure if anybody is interested. But, here goes nothing!

For the uninitiated, a VPN (Virtual Private Network) is a secure connection between two places that is sent encrypted over another network (most of the time this is the internet). By putting this on your router, you can have access to your LAN from anywhere with an internet connection (presuming you have the proper credentials). Or, if you place it on two routers, you can effectively bridge the two LANs together, making it appear to the LAN computers that it is one big LAN.

Features:

Based on Tomato 1.27 (ND also available)

OpenVPN 2.1.1 is compiled in and fully integrated as a system service.

LZO 2.0.3 is compiled in for VPN compression option

Two separately configurable instances each of clients and servers can be configured in the GUI

Sets up and tears down (including module insertion/removal) interfaces as appropriate to save memory

Automatically adds and removes firewall rules as needed.

Option to automatically start server/client with router

Option to redirect Internet traffic over tunnel

Options to accept/push DNS options.

Encryption cipher settings are available.

Client address allocation is handled via GUI.

Added capability to use hostnames in the access restrictions page (unrelated to VPN, but I wanted it)

and more...

All config, key, and cert files are generated in /etc/openvpn at run time, so you can take a look at them if you're curious/concerned. If you find something wrong with the generated files, let me know.

Now, Roadkill's VPN mod seemed to have a lot of changes that I wasn't interested in, so I started from scratch. If there is a feature he's added that you can convince me would be useful enough, I may add it.

If there are any more common/useful configuration options that you would like to see added to the GUI, again, just let me know.

I'll get the sources all cleaned up and ready for distribution soon. But, as I'll be out of town for a bit, it will not be until sometime next week. I'll see if I can't quickly hammer out an automatic firewall solution as well.

I remember what the guys put me through the first time I posted the mod... anyway... welcome to the forum and, as usual, don't expect money but a lot of questions. And also my congratulations for the job.

I'm back in town and I'll get the sources up soon. And, as I stated this as soon as someone asked for the source, I don't think there's a problem there. Also, I don't think I made any changes to GPL code anyway...

edit: I take that back, I had to add a #include "ping.h" to an OpenVPN file to get it to compile. The rest is not GPLed.

In response to the requests for USB support in my VPN builds, I'm afraid I am going to decline. I don't have the hardware to test it. If there were another mod that had this feature completed [1], I may consider offering a separate build with those changes included. But, in that case, I suppose it would make as much sense for the author of that build to include my changes instead.

[1] My definition of complete (such that I would consider including it) consists of relatively bug-free code with a working, user-friendly GUI.

I know one of the problems with roadkill's build was that it didn't support client-config-dir --> has anyone tried that command in their configs with this build? I will try and post in a bit.

Hi SgtPepperKSU, Roadkill,
First of all, thank you for the great work...

I have a question:

Is it possible to generate a basic Tomato VPN mod version without the web GUI and other mods?
If it is not possible, could you write a little step-by-step "how to"? I don't have enough skill to recompile the source code, but with a "how to" I can try.

I think many users like me need the original Tomato version + VPN working 100%.

I use config files on the jffs partition and unfortunately "client-config-dir" and "ifconfig-pool-persist" seem not to work on Roadkill's VPN mod.

Is it possible to generate a basic Tomato VPN mod version without the web GUI and other mods?

Well, the only things besides the GUI and firmware integration I've included are LZO (for VPN compression) and OpenVPN. The GUI and firmware integration should not affect stability and you are free to not use them. The WebGUI provides a custom configuration section that is appended to the config file, or you can just use openvpn directly from ssh/telnet/scripts.

I use config files on the jffs partition and unfortunately "client-config-dir" and "ifconfig-pool-persist" seem not to work on Roadkill's VPN mod.

I don't know what is keeping those options from working with Roadkill's version, but perhaps more time should be spent understanding why before proceeding. It would be a shame to go through that work only to have the same problem. And, besides, if it is something simple to get working, I'm sure roadkill (and I, if it isn't working in mine) would be glad to make the changes to get it to work.

I just registered on the forum to say thanks for the build. It was just what i was looking for. Keep up the good work.

No problem. Like I originally said, this was mainly just to satisfy my own need. I'm just glad there's someone else who finds it useful.

Be sure to let me know if you run into any problems, or if there are non-site-specific rules you are having to enter into the custom configuration field: it may be a candidate for inclusion in the GUI.

I'm a complete VPN newb, but I'm assuming you can set the router as a server and have a computer be a client if you're roaming on a foreign network, right? That's what I'd like to use VPN for, but I could never get roadkill's build to work for me.

If this is the case, could anyone write up a quick how-to? That'd be extremely helpful, and I'm sure I'm not the only one.

That's actually the way I've been using it lately.

The simplest way for a small VPN (one server, few clients) is static key encryption.

On the router:

Interface Type: tap (tun would require you to set up routes manually)

Port: 1194 (or whatever you want)

Protocol: UDP (TCP if you'll be going through an http proxy on the client side)

If you run into problems, have a look at the log on the client. If that appears to be attempting a connection and failing, have a look at the router's system log (Status->logs in the GUI) for lines that contain "openvpn".

FYI: Sometime in the near future I'll be working on a new build with an updated OpenSSL in order to support the AES cipher with OpenVPN. If anybody has noticed any needed changes to the GUI, now would be a good time to say so to get it included in that build.

Support for the OpenVPN management interface, including the definition of the key file, might be something worth putting into the GUI. And if you can go the extra mile and actually expose the management interface (so have a list of connected clients with connection time, data transferred, bandwidth used and the ability to disconnect them).

Furthermore, I was thinking about what you need two server or client instances for, and besides exposing the same service on two ports using different protocols, I figure you'd most likely be dealing with site-to-site stuff... and that opens a whole can of worms on topics like subnetting. The device is perfectly capable of handling multiple subnets, including the routing in between if needed, as well as DHCP, but nothing like that is exposed in a GUI.
Similarly, you could imagine using multiple tunnels to connect to different networks and expose them on different ports on the router (I have a bunch of routers configured like that), which brings us to VLANs, and which in turn could bring us back to subnetting.
And both topics also lead to firewalling and the lack of on-device management thereof.

I realize I've gone really far with that, but I suppose many of those topics will come up when you start dealing with VPN tunnels.

Perhaps down the line. For now, there is a server<1|2>.status file that is updated every minute in the /etc/openvpn folder with connected client information (including connection time and data transferred). No way to disconnect an individual client, however.

Furthermore, I was thinking about what you need two server or client instances for, and besides exposing the same service on two ports using different protocols

That's the reason I added the two servers. I have an occasional client that is behind an http proxy (TCP) but want to run the site-to-site connections as UDP. The two clients are because I have two remote sites to connect site-to-site with my own.

I figure you'd most likely be dealing with site-to-site stuff... and that opens a whole can of worms on topics like subnetting. The device is perfectly capable of handling multiple subnets, including the routing in between if needed, as well as DHCP, but nothing like that is exposed in a GUI.
Similarly, you could imagine using multiple tunnels to connect to different networks and expose them on different ports on the router (I have a bunch of routers configured like that), which brings us to VLANs, and which in turn could bring us back to subnetting.
And both topics also lead to firewalling and the lack of on-device management thereof.

The GUI as it is today is for pretty simple setups. If you're getting into more complicated scenarios, you probably have the know-how to use the "Custom Configuration" section in concert with the various scripts.
Though, if you wrote a patch to enable all of that in the GUI, I'd definitely consider incorporating it.

I'm kind of new to both Tomato firmware and OpenVPN. I used DD-WRT for the past six months and it worked great, but now I'd like to access my home network from work via VPN. I couldn't get it working on DD-WRT, so I decided to give Tomato a go, but the same thing happens when I'm activating the VPN server.

That certainly is odd. Could you post any messages in your router log from around the time this happens?
What do you mean by "dead", do connections just get dropped? Does the radio get disabled altogether? Does the wireless light on the front of your router turn off? If you turn off the VPN server, does the wireless come back? So, in general, more information would be helpful.

I still don't know what caused it, but when I erased all NVRAM memory under "Administration/Restore Default Configuration/Erase all data in NVRAM memory (thorough)" and just went through every setting again, it started working. Strange...

Hmm, that all looks pretty good. Does the client show up in the server's device list? Can you SSH to each and capture an ifconfig? And, to be sure, you are pinging from client-side to server-side, right? From a PC or from the router?

Tried pinging from both router and clients. No luck.
Nope, it doesn't show up in the device list.
I'm not using DHCP, btw, if that matters. Guess not.

I'm gonna try that when I come home today.
brctl addif br0 tap0, should be tap11 in my case, right?
When I'm setting up the VPN from the router GUI interface, is the tap interface added to the bridge then? On some routers I get tap11 and on others I get tap20, is it randomly generated?

Yes, I did the route add command as well, no luck.
I tried connecting with the Windows VPN client to the server router, works just fine... well, there is no routing involved...
Router-router works fine as well, it's when bridging it :[

EDIT: if I don't remove the tunnel from the bridge [leave it default] and ping the server router, I don't get any answer,
but
br0 00:FF:EF:E8:05:BC 192.168.1.75
is coming up in the server router's device list

Have you had a chance to try the iptables commands (with and without the interface removed from the bridge)?

Sorry for all of the trial and error here; I haven't had a chance to try a site-to-site yet. I should have access to one of my remote sites before too long, and I will try and hammer this out myself then. But, if we get it worked out now, all the better!

Yeah, I tried iptables -vL before and after removing the interface...
Nothing changed.

That just lists the iptables rules. I was referring to the iptables commands in post 51. But, if you've also tried those, I'm afraid I'll just be grasping at straws. You may try to search the web for bridged site-to-site OpenVPN how-tos to see if you find a combination of things that work. That's all I would be doing from here.

If you do find something that works, let me know and I'll incorporate it into a build. I'll see if I can get access to a remote router sooner than later so I can try some of this out myself.

That how-to uses "Routed" (TUN), not "Bridged" (TAP), devices. If TUN is acceptable for you (only IP traffic can cross it, if I understand correctly), you may try setting both client and server to TUN and placing the route commands in the custom configuration section. TUN setups don't have any bridging involved, so it may solve the problem. I was trying to get TAP to work because there's no reason why it shouldn't.

The push commands on the server are the same thing as putting it (without the push keyword) on the client. And, we already tried that.

Like I said, though, I'll try getting a setup going that I can play with to get this figured out, but that will likely be at least a couple of days.

Though, if you wrote a patch to enable all of that in the GUI, I'd definitely consider incorporating it

If Tomato ran ASP.NET I'd probably invest the time to learn iptables better, but as it is, it's not really my cup of tea.
If you ever entertain the notion of adding the GUI, I've done some VLAN and multiple DHCP server stuff, so at least there I have some know-how to help you get started.

Firstly, thanks for making the GUI version of this mod.
I've had the TAP version up and running site-to-site, but ran into a few DHCP/DNS niggles, with everything being broadcast over one subnet. So, I reconfigured to the TUN option, which is giving me 90% of the functionality I wanted.

With TUN, the main thing I'm missing now is the ability to communicate with machines behind the client, caused by the CCD options not working.

Is there any word on why client-config-dir and ifconfig-pool-persist ipp.txt are not working on Tomato firmware (posts suggest roadkill's version suffered from the same issue)?
ifconfig-pool and ccd-exclusive also seem not to work, but they're less important (to me).

Also, a small note: I think the 'Duplicate-CN' setting in the server config should be left for the user to set. Had the CCD options worked, having duplicate-CN set would have conflicted with my settings.

Could you share how you got site-to-site TAP working? I've been unsuccessful in trying to get diggyz up-and-running in that regard.

With TUN, the main thing I'm missing now is the ability to communicate with machines behind the client, caused by the CCD options not working.

Is there any word on why client-config-dir and ifconfig-pool-persist ipp.txt are not working on Tomato firmware (posts suggest roadkill's version suffered from the same issue)?
ifconfig-pool and ccd-exclusive also seem not to work, but they're less important (to me).

I haven't tried client-config-dir yet, but I can't think of a reason they wouldn't work (I completely trust that they don't, I just can't think of why). Do you get error messages in your logs when you try to use it?

Also, a small note: I think the 'Duplicate-CN' setting in the server config should be left for the user to set. Had the CCD options worked, having duplicate-CN set would have conflicted with my settings.

I'll change that to an option in future releases. Thanks for the feedback!

Alright. This is from my less than reliable memory, so apologies if there are any errors. Most of this config is taken care of by scripts in the GUI version (i.e. VPN mode, protocol, port, etc. are all set to what you've entered in the UI, and the other necessary config parameters will be created automatically).

You will need to add the following rule to the (administration->scripts->)firewall, to allow incoming VPN connections:

Code:

iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT

Router #2 - VPN Client
Again, very little is needed here that isn't set up by default. Enter the server address in the GUI, then put the following in custom configuration:

Code:

# Set aaa.bbb.ccc.ddd to any free IP on the server's network.
# Select something outside the scope of the server's DHCP pool.
ifconfig aaa.bbb.ccc.ddd 255.255.255.0

Enter your client key/cert details.

One extra step I did take, is that once the client had connected and was visible in device list, I'd take the MAC address and assign it a static ip in the 'Static DHCP' section.

That's it! I can't remember it being any more complicated than that for me, no special routing/firewall rules were needed as it is acting literally like an Ethernet switch.

The problems I had with this setup were as follows: my work (server) had the IP range 192.168.99.0/24 and my home network (client) had the IP range 192.168.1.0/24. Both routers had DHCP enabled, as both routers needed to tend to their own networks when the tunnel wasn't in use. When additional clients connected to the VPN, the router that allocated the new client an IP, and therefore the client's IP/subnet, seemed random: whichever router happened to get there first. I could have perhaps tied this down with some additional routing for ports 67/68, or there are perhaps dnsmasq parameters that would take care of this.

TUN configuration - CCD problems
I'll keep my TUN config out of this post for clarity, but a note on the CCD issue:

Code:

client-config-dir ccd - these files are never read/executed.
ifconfig-pool-persist ipp.txt - no entries are ever made to this file.
ifconfig-pool - doesn't seem to work - doesn't set the scope of the VPN's DHCP
ccd-exclusive - works, but as it enforces non-working CCD, the server has no way then to allocate IPs.

CCD is needed primarily for static VPN ips, and to configure routes back to the clients with the 'iroute' parameter. Getting everything to work with firewall rules alone gets complicated.

** EDIT:
Okay, I checked the logs:

Code:

Oct 19 22:49:29 unknown daemon.warn openvpn[687]: WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
Oct 19 22:49:29 unknown daemon.warn openvpn[687]: WARNING: --ifconfig-pool-persist will not work with --duplicate-cn

This is after setting vpn_debug=1 in nvram (committing & rebooting) and removing the duplicate-cn line in server1.ovpn. Any manual edits to the server config file are overwritten by the defaults + GUI custom config entries when restarting the service through either the GUI or command line.

Alright. This is from my less than reliable memory, so apologies if there are any errors.
<snip>
That's it! I can't remember it being any more complicated than that for me, no special routing/firewall rules were needed as it is acting literally like an Ethernet switch.

Hmmm, that's all I was thinking it would take. But, alas, we've tried that with diggyz without positive results. I have a remote router to experiment with now, so perhaps I'll be able to get to the bottom of it.

client-config-dir ccd - these files are never read/executed.
ifconfig-pool-persist ipp.txt - no entries are ever made to this file.
ifconfig-pool - doesn't seem to work - doesn't set the scope of the VPN's DHCP
ccd-exclusive - works, but as it enforces non-working CCD, the server has no way then to allocate IPs.

Where did you create ccd? You should try giving the absolute path to it (i.e. /etc/openvpn/ccd, if that's where it is). Same thing with ipp.txt. I guess to make things easier for the custom config section, I could use "--cd /etc/openvpn" in my openvpn call to make everything look there by default.

This is after setting vpn_debug=1 in nvram (committing & rebooting) and removing the duplicate-cn line in server1.ovpn. Any manual edits to the server config file are overwritten by the defaults + GUI custom config entries when restarting the service through either the GUI or command line.

I have already made the changes in my local builds to have duplicate-cn be optional. In the meantime, though, you can hand-edit the ovpn file to get rid of that entry. However, you should use

Code:

/etc/openvpn/vncserver1 --config /etc/openvpn/server1.ovpn

instead to start it so that it will not regenerate the config file.

I'll try and get a build out in the next couple of days that will fix the duplicate-cn directive as optional. I didn't realize it would conflict with other options before.

Remote is set up very simply, with settings like the above. I also added a line to the firewall script to make a hole for port 1194.

Any pointers?

Thanks! flatulently,
commander flatus

Well, I think that error code indicates a firewall problem, not a VPN problem. Make sure you are using the same port number on the server, firewall script, and client (and you should probably explicitly name a port rather than rely on defaults there). Also, the same goes for protocol (both that it needs to be the same in all three places and that you should specify it on the client).

Also, I don't think it's even getting this far, but you should specify comp-lzo in your client config. I'll probably change that to an option for the next release (don't know why I didn't to begin with), but for now the server is set up to use LZO compression on the VPN link.

Try those things. If you are still having a problem, post back (in a new thread, this one is getting a bit crowded) with your settings on both sides and logs from both sides. Also, if one of the above works, please post a little note back saying which it was so if somebody else gets the same error, they will know a possible solution.
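The static-key setup from the earlier "router as server, roaming PC as client" reply, and the matching-settings advice just above (same port, same protocol, comp-lzo on both ends), as one added shell example. This is not code from the thread or from the mod: it writes the equivalent of the GUI fields as plain OpenVPN directives so the two sides can be compared mechanically. The host name vpn.example.org, the 192.168.1.0/24 LAN, the client address 192.168.1.250 and the key paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the post or the Tomato VPN mod): write both halves
# of a static-key tap tunnel, router as server and roaming PC as client, then
# check the settings that must agree on both ends. Assumed: OpenVPN 2.1-era
# directives, UDP/1194, vpn.example.org, a 192.168.1.0/24 LAN, 192.168.1.250 free.

# A 2048-bit static key. Use openvpn's own generator when it is on the box;
# otherwise write random bytes in the same "Static key V1" layout (256 bytes
# as 16 lines of 32 hex digits) so the rest of the script still runs.
gen_static_key() {            # $1 = output path
    if command -v openvpn >/dev/null 2>&1; then
        openvpn --genkey --secret "$1"
    else
        {
            printf '#\n# 2048 bit OpenVPN static key\n#\n'
            printf '%s\n' '-----BEGIN OpenVPN Static key V1-----'
            od -An -tx1 -N256 /dev/urandom | tr -d ' \n' |
                awk '{ for (i = 1; i <= length($0); i += 32) print substr($0, i, 32) }'
            printf '%s\n' '-----END OpenVPN Static key V1-----'
        } > "$1"
    fi
    chmod 600 "$1"            # the key is the whole secret: keep it private
}

# Router side: what the GUI fields (tap, port 1194, UDP, static key) amount
# to. No ifconfig here because the firmware bridges the tap device into the LAN.
write_server_conf() {         # $1 = path, $2 = key path
    cat > "$1" <<EOF
dev tap
proto udp
port 1194
secret $2
comp-lzo
keepalive 10 60
persist-key
persist-tun
EOF
}

# Client side: the port is named on the remote line, as the reply advises,
# and comp-lzo is present because the server uses it.
write_client_conf() {         # $1 = path, $2 = key path, $3 = proto (default udp)
    cat > "$1" <<EOF
remote vpn.example.org 1194
proto ${3:-udp}
dev tap
secret $2
ifconfig 192.168.1.250 255.255.255.0
comp-lzo
keepalive 10 60
persist-key
persist-tun
nobind
EOF
}

# First word after a directive, or nothing when it is absent.
conf_get() {                  # $1 = directive, $2 = file
    awk -v k="$1" '$1 == k { print $2; exit }' "$2"
}

# Port the client uses: an explicit "port" line, else the one on "remote".
client_port() {               # $1 = client config
    p=$(conf_get port "$1")
    [ -n "$p" ] || p=$(awk '$1 == "remote" { print $3; exit }' "$1")
    printf '%s\n' "${p:-1194}"
}

# 0 when port, protocol, device type, cipher and compression agree on both
# sides; otherwise print each mismatch and return 1. Missing values get
# OpenVPN 2.1's defaults (udp, BF-CBC); tcp-server/tcp-client count as tcp.
check_pair() {                # $1 = server conf, $2 = client conf
    rc=0
    sv=$(conf_get port "$1"); cv=$(client_port "$2")
    [ "${sv:-1194}" = "$cv" ] || { echo "port: server ${sv:-1194}, client $cv"; rc=1; }
    sv=$(conf_get proto "$1"); cv=$(conf_get proto "$2")
    sv=${sv%-server}; cv=${cv%-client}
    [ "${sv:-udp}" = "${cv:-udp}" ] || { echo "proto: server ${sv:-udp}, client ${cv:-udp}"; rc=1; }
    sv=$(conf_get dev "$1"); cv=$(conf_get dev "$2")
    [ "$sv" = "$cv" ] || { echo "dev: server $sv, client $cv"; rc=1; }
    sv=$(conf_get cipher "$1"); cv=$(conf_get cipher "$2")
    [ "${sv:-BF-CBC}" = "${cv:-BF-CBC}" ] || { echo "cipher: server ${sv:-BF-CBC}, client ${cv:-BF-CBC}"; rc=1; }
    sv=$(awk '$1 == "comp-lzo" { f = 1 } END { print f + 0 }' "$1")
    cv=$(awk '$1 == "comp-lzo" { f = 1 } END { print f + 0 }' "$2")
    [ "$sv" = "$cv" ] || { echo "comp-lzo: server $sv, client $cv"; rc=1; }
    return $rc
}

# Whole flow in a scratch directory: generate, write, check. Returns
# check_pair's status, so a mismatch shows up as a non-zero exit.
demo() {
    d=$(mktemp -d)
    gen_static_key "$d/static.key"
    write_server_conf "$d/server.conf" /etc/openvpn/static.key
    write_client_conf "$d/client.ovpn" static.key
    check_pair "$d/server.conf" "$d/client.ovpn"; rc=$?
    rm -rf "$d"
    return $rc
}
```

On the router the server half is what the GUI fields plus Custom Configuration end up as; the client file is what the roaming PC's OpenVPN reads, with static.key copied next to it. check_pair is the thing to run before opening a thread: a port, protocol or comp-lzo mismatch is the usual reason a tunnel never comes up while both logs just show retries.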

Hi,
Thank you for your great work. As I want to connect 3 routers using tun(s) into a "family" network, I am interested in Sunjon's conclusions (client-config-dir seems to be important). Currently, I do not have devices in place to do the experiment myself.
Have you considered adding the tls-auth key to the GUI? I believe I am not paranoid, but from the HOWTO it looks like the security is much better with it (DoS attacks, port flooding and scanning). Anyway, I hope it is still possible to add the key in the Init Script.

I'll keep that in mind for possible future additions. In the meantime, though, there shouldn't be any reason you couldn't generate the file in the Init Script and add the tls-auth directive in the Custom Configuration section.

Seems so simple, yet we didn't try using the opposing router as a gateway to the rest of the network... Let me know if it works for you, too.

I did what I said and now it's working great =) Thanks a lot for taking your time.
I was thinking about the gateway as well but didn't know how to add it correctly.
Is this something you can include in the build in some way?

Glad it works, and there wasn't some other change I had made and couldn't remember.

I'll definitely get something in a build to get this to work automatically. However, I think the "right" way would be to add the routes in the openvpn config file, and I'll experiment on getting that working properly.

duplicate-cn and client-to-client are no longer autogenerated in the config file

You can still add them to Custom Configuration if you need them

They don't do any good without some custom config anyway

The TUN (or TAP across different subnets) tunnels are only client->server (server LAN can't see client LAN) without Custom Configuration because a NAT is set up on the client side (optional via GUI). Without this NAT, the server side would need to have configuration settings specific to each client. If I did this automatically, it would be difficult to add your own settings in this manner on top of it. So I felt this was a good compromise. You can either a) set up two tunnels, one each way, or b) set up a client-config-dir configuration.

Known limitations:

None that I am aware of. If you find some, let me know.

Sorry this update took so long. It took me a little while to settle on a compromise with what to do about automatic configuration of tunnels connecting different subnets. Also, since my day job is also firmware development, some days it is hard to convince myself to spend my free time doing it as well.
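The client-config-dir arrangement the release note refers to (option b: the server learns which client owns which LAN via ccd and iroute), together with the earlier advice to use absolute paths and to keep duplicate-cn out of a ccd setup, as an added shell example. It is not part of the thread or of the mod. The CN "homerouter", the subnets, the 10.8.0.0/24 tunnel addresses and the /etc/openvpn paths are assumptions.

```shell
#!/bin/sh
# Added example, not the mod's own code: a client-config-dir setup for a
# site-to-site client plus a lint pass for the problems raised in this thread
# (relative ccd path, duplicate-cn next to ccd/ipp, an iroute with no matching
# server route). CN, subnets, tunnel addresses and paths are assumptions.

# Server side, for the Custom Configuration box: absolute paths so openvpn
# finds them regardless of its working directory, and one "route" per client
# LAN so the router's kernel sends that subnet into the tunnel at all.
write_server_custom() {       # $1 = file, $2 = ccd dir, $3 = client LAN, $4 = mask
    cat > "$1" <<EOF
client-config-dir $2
ifconfig-pool-persist /etc/openvpn/ipp.txt
route $3 $4
EOF
}

# One file per client, named after its certificate CN: a fixed tunnel address
# pair and the iroute that tells openvpn which client the LAN sits behind.
write_ccd() {                 # $1 = ccd dir, $2 = CN, $3 = LAN, $4 = mask, $5 $6 = tunnel pair
    mkdir -p "$1"
    printf 'ifconfig-push %s %s\niroute %s %s\n' "$5" "$6" "$3" "$4" > "$1/$2"
}

# Print each problem found and return 1; return 0 when the config is clean.
lint_server() {               # $1 = server config (generated file or custom section)
    rc=0
    if grep -q '^duplicate-cn' "$1"; then
        # the two combinations the openvpn log warned about earlier in the thread
        grep -q '^client-config-dir' "$1" && { echo "duplicate-cn makes client-config-dir useless"; rc=1; }
        grep -q '^ifconfig-pool-persist' "$1" && { echo "ifconfig-pool-persist will not work with duplicate-cn"; rc=1; }
    fi
    ccd=$(awk '$1 == "client-config-dir" { print $2; exit }' "$1")
    case "$ccd" in
        "" | /*) ;;
        *) echo "client-config-dir $ccd is relative; use an absolute path"; rc=1 ;;
    esac
    if [ -n "$ccd" ] && [ -d "$ccd" ]; then
        # iroute tells openvpn who owns the LAN; without the matching "route"
        # the kernel never hands packets for that LAN to openvpn in the first place
        missing=$(
            for f in "$ccd"/*; do
                [ -f "$f" ] || continue
                awk -v cn="$(basename "$f")" '$1 == "iroute" { print cn, $2, $3 }' "$f"
            done | while read -r cn net mask; do
                grep -qxF "route $net $mask" "$1" || echo "$cn: iroute $net $mask has no matching route"
            done
        )
        [ -z "$missing" ] || { echo "$missing"; rc=1; }
    fi
    return $rc
}
```

Run lint_server against /etc/openvpn/server1.ovpn while the service is up (the GUI regenerates that file, so lint the result rather than your custom section alone). A clean run plus "client-config-dir" in the log at verb 3 is the point at which a remote LAN that still does not answer becomes a firewall or return-route question on the client side instead of a ccd one.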

Sorry about that. I saw your question, but got busy and assumed someone in that thread would have answered.

As you can see from the OpenVPN HOWTO on generating certificates, you just need to generate it using the same set of tools used to generate your certificates. Assuming you used the easy-rsa utilities that come with OpenVPN, you just need to run the "build-dh" executable.

Your signature says you are running 1.21.0013. Since you obviously have OpenVPN included, I assume this either isn't correct or it is a different VPN build. So, I'm not sure how much help I'll be able to give, but I'll try.

Please open a new thread, and include more of your log file (is there anything about failing to create a TAP interface before the OpenVPN entries?), and we'll see if we can straighten it out.

Could you list exactly which firewall rules are set? I've a few manually set rules for my tunnel, and would like to remove any duplicates.

SgtPepperKSU said:

Also, since my day job is also firmware development, some days it is hard to convince myself to spend my free time doing it as well.

Let me know what you think, and what can be improved. :smile:

Thanks for the update, much appreciated as always.

The GUI is looking comprehensive and my TUN setup is working fine, with only a few lines for CCD in my custom config. So no immediate improvements spring to mind. I did try a different config parameter today though - "client-connect" , which failed to work (and stopped the server from running). It's used to run scripts on the router when clients connect(duh!), similar to the "up" and "down" parameters that can also be set.

This appears in the logs when any of these script running parameters are set:

Code:

openvpn_execve: external program may not be called due to setting of --script-security level
script failed: external program fork failed

This post explains that running these scripts is disabled in current builds of OpenVPN, and that to enable them you have to set a flag when compiling.

On a separate note, do you have any advice to offer on how I'd go about including samba-server(running as a WINS server) in my tomato setup. It's 'related' in that it would solve my shared folder over TUN VPN issues that i mentioned here.

Could you list exactly which firewall rules are set? I've a few manually set rules for my tunnel, and would like to remove any duplicates.

While the server/client is running, you can ssh/telnet to the router and there will be a (server|client)[12]-fw.sh file that contains the iptables rules that were applied. On stopping the service, the -A and -I entries are turned to -D and the file is re-executed to remove the rules. If the vpn_debug nvram option is set, that file (with -Ds) will remain.

The GUI is looking comprehensive and my TUN setup is working fine, with only a few lines for CCD in my custom config. So no immediate improvements spring to mind. I did try a different config parameter today though - "client-connect" , which failed to work (and stopped the server from running). It's used to run scripts on the router when clients connect(duh!), similar to the "up" and "down" parameters that can also be set.

I had seen the client-connect option and thought it looked like a good alternative to client-config-dir (since you can also use it to dynamically add server options on client connect). I had not tried it, though, and didn't realize it needed a special option at source configuration time. I will research that some and weigh any pros/cons on adding that flag for the next release. Thanks for bringing that to my attention.

On a separate note, do you have any advice to offer on how I'd go about including samba-server(running as a WINS server) in my tomato setup. It's 'related' in that it would solve my shared folder over TUN VPN issues that i mentioned here.

While I probably won't include it in this build, it may be interesting for another custom tomato version (probably not by me, though, as my routers don't have external storage attached). The general steps would be

Download samba sources

Configure sources for mips and any other non-default options you'd want

Add sources to tomato source tree and add it to the appropriate makefile

That's pretty much it. Of course, it's the unexpected complications that could possibly make it difficult.
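The -fw.sh mechanism described a few replies up (rules applied when the instance starts, -A/-I turned into -D and re-executed when it stops), together with the INPUT rule sunjon posted for the server router, as an added shell example. This is not the mod's own script. The exact rule set, the tunnel device name tun11 and the WAN interface name vlan2 are assumptions; on a Tomato box take the WAN name from "nvram get wan_iface" rather than hard-coding it.

```shell
#!/bin/sh
# Added example, not the mod's own -fw.sh: build the iptables rules for one
# VPN server instance and derive the teardown set from them, as the reply
# describes (-A/-I become -D). The rule set, the tunnel device tun11 and the
# WAN interface name are assumptions.

# Rules for a server on $1/$2 whose tunnel device is $3, arriving on WAN $4.
# Restricting INPUT to the WAN interface keeps the VPN port from also being
# reachable from LAN or guest segments; the two FORWARD rules are what a
# routed (tun) tunnel needs, a tap bridged into br0 never hits FORWARD.
fw_setup_rules() {            # $1 = proto, $2 = port, $3 = tunnel iface, $4 = WAN iface
    cat <<EOF
iptables -I INPUT 1 -i $4 -p $1 --dport $2 -j ACCEPT
iptables -I FORWARD 1 -i $3 -j ACCEPT
iptables -I FORWARD 1 -o $3 -j ACCEPT
EOF
}

# Teardown: "-I CHAIN N" and "-A CHAIN" both become "-D CHAIN" followed by the
# original match, so each rule is deleted by specification. Keeping the "N"
# would give "-D CHAIN N", which deletes whatever sits at position N at
# teardown time, not necessarily this rule.
fw_teardown_rules() {         # reads setup rules on stdin
    sed -E 's/ -I ([A-Za-z_]+) [0-9]+ / -D \1 /; s/ -A ([A-Za-z_]+) / -D \1 /'
}

# Write both scripts per instance, the way the firmware keeps them, so the
# teardown is derived from exactly the rules that were applied.
write_fw_scripts() {          # $1 = dir, $2 = instance name, $3.. = fw_setup_rules args
    dir=$1; name=$2; shift 2
    { echo '#!/bin/sh'; fw_setup_rules "$@"; } > "$dir/$name-fw.sh"
    { echo '#!/bin/sh'; fw_setup_rules "$@" | fw_teardown_rules; } > "$dir/$name-fw-down.sh"
    chmod 700 "$dir/$name-fw.sh" "$dir/$name-fw-down.sh"
}

# Sanity check before running anything on the router: the teardown script
# must be exactly the setup script with -I/-A rewritten to -D, nothing more.
fw_scripts_match() {          # $1 = setup script, $2 = teardown script
    [ "$(grep '^iptables' "$1" | fw_teardown_rules)" = "$(grep '^iptables' "$2")" ]
}
```

On the router, "sh server1-fw.sh" applies the rules and "sh server1-fw-down.sh" removes them; if you hand-edit the setup file (say to add a second port), fw_scripts_match tells you the teardown no longer covers it before you find out via a rule that outlives the tunnel.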

so all I need to do to get this running is re-flash my router with the bin file?

Pretty much. Once you do, there will be a "VPN Tunneling" section in the web GUI for configurations.

However, there have been a couple of reports of problems with wireless if you don't clear NVRAM after flashing. So, if you start having strange problems, you should do a thorough NVRAM clear and reconfigure.

Had a quick question: how are you testing your firmware out? I want to try compiling the firmware myself (I'd like to combine your mod with the speedmod), but I don't want to risk bricking my router unnecessarily. I searched the forums and Google and saw a little bit about a program called bosch, but it seems pretty complicated just to set up the env. I'd love to know how you set up your test environment.

Also, a quick note, and a tad nitpicky: certificate is misspelled in "Certifate Authority" in your VPN tunneling GUI (I noticed it a while ago but it's not fixed in 0017).

Another small quirk -- the server address field is character limited -- however openvpn supports name resolution (i.e the use of ddns addresses) and I can't fit my address in that spot

I just noted something else that was missing from the config window (for me).

I use the tls-auth command (which is an additional handshake at the beginning) and it requires a static key (in addition to the certificate keys). Unfortunately with your GUI, I can't add the static key if I want to; do you think it would be possible to add a box for the tls-auth key and an option for authorization with TLS + auth key?

If you aren't planning on adding this command to the GUI, is there a way I can paste the key into the custom config so it creates it for me?

I should be able to add that. Currently, I reuse the same data for both the server key and the static key to save creating even more nvram variables. But, since that seems like a reasonable feature, I'll go ahead and divorce the two.
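tls-auth the way the earlier reply suggested (key file written by the Init Script, the tls-auth directive added in Custom Configuration), as an added shell example that is neither the thread's nor the mod's code. The /etc/openvpn/ta.key path is an assumption and the key body below is a labelled placeholder, not usable key material.

```shell
#!/bin/sh
# Added example, not the mod's own code: tls-auth via Init Script plus Custom
# Configuration. The key path is an assumption and the key body is a
# placeholder; paste the real output of "openvpn --genkey --secret ta.key".

# Init Script part. The file is created owner-readable only: whoever can
# read it can compute the HMAC tls-auth adds to the TLS handshake packets,
# which is the whole point of the extra key.
install_ta_key() {            # $1 = destination path
    old=$(umask); umask 077
    cat > "$1" <<'EOF'
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER_REPLACE_WITH_THE_16_HEX_LINES_FROM_OPENVPN_GENKEY
-----END OpenVPN Static key V1-----
EOF
    umask "$old"
}

# Custom Configuration line for each side. The two ends must use opposite
# key directions: 0 on the server, 1 on the client.
tls_auth_line() {             # $1 = server|client, $2 = key path
    case "$1" in
        server) printf 'tls-auth %s 0\n' "$2" ;;
        client) printf 'tls-auth %s 1\n' "$2" ;;
        *) echo "role must be server or client" >&2; return 2 ;;
    esac
}

# Check a server/client config pair: tls-auth on both sides with explicit
# directions, the directions differ, the key file exists and nobody else can
# read it. Prints what is wrong and returns 1; returns 0 when all holds.
check_tls_auth() {            # $1 = server conf, $2 = client conf
    rc=0
    sdir=$(awk '$1 == "tls-auth" { print $3; exit }' "$1")
    cdir=$(awk '$1 == "tls-auth" { print $3; exit }' "$2")
    if [ -z "$sdir" ] || [ -z "$cdir" ]; then
        echo "tls-auth with an explicit key direction is missing on one side"; return 1
    fi
    [ "$sdir" != "$cdir" ] || { echo "both sides use key-direction $sdir"; rc=1; }
    for f in "$1" "$2"; do
        k=$(awk '$1 == "tls-auth" { print $2; exit }' "$f")
        [ -f "$k" ] || { echo "$f: key file $k not found"; rc=1; continue; }
        case "$(ls -ld "$k" | cut -c1-10)" in
            -rw-------|-r--------) ;;
            *) echo "$k: should be mode 600"; rc=1 ;;
        esac
    done
    return $rc
}
```

With the key in place, the server's Custom Configuration gets "tls-auth /etc/openvpn/ta.key 0" and the roaming client's .ovpn gets the same line ending in 1; the client needs the same ta.key file next to its config. A direction mismatch does not show up as a certificate error, the server simply drops the handshake packets, so check_tls_auth is worth running before blaming the firewall.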